Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for June 12, 2003
Embedded Linux and the GPL
Linux and embedded systems are a natural combination. Linux provides the level of control and ability to customize that embedded vendors need; it can also be pared down into a (relatively) small footprint. And, of course, there are no per-unit royalties to be paid; that is a big deal for many applications. It is not surprising that an increasing number of gadgets have a Linux kernel running inside them.Much of the code running in those systems is licensed under the GPL. While no royalties need be paid for the distribution of GPL-licensed code, there are other obligations which must be met. In particular, a Linux-powered gadget is supposed to come with either (1) a copy of the source for the code running inside, or (2) a written offer to ship the source anytime in the next three years. While some companies (e.g. TiVo) make their source available, it would seem that some other embedded system vendors are forgetting about this obligation when they ship their boxes.
Recently, Andrew Miklas noticed that his Linksys WRT54G wireless access point was running GPL-licensed software, including a 2.4.5 kernel and the BusyBox tool suite. The product contains no source, offer of source, or even acknowledgement of the GPL software running inside. Attempts to obtain source from Linksys have, so far, been unsuccessful. The Free Software Foundation is now taking an interest in this case.
Linksys, it seems, is not alone in this behavior. Products from Belken, Buffalo Technology, and QLogic have also been shown to have Linux inside, with no source forthcoming. Lest one despair completely, however, it's worth looking at Colm MacCárthaigh's experience with his Dell TrueMobile 1184 router. Not only was he able to (eventually) get the source from Dell; his efforts also convinced Dell to include a source CD with the product.
Mr. MacCárthaigh's experience is worth noting for a couple of reasons. The first is that Dell was simply unaware that it was supposed to make source available. In most GPL violation cases, the real problem is that the company involved is unaware of its obligations under the license; GPL violations tend to be unintentional. With some persistence - and politeness - it is usually possible to get these companies to move into compliance with the GPL. The Free Software Foundation has been very good at this in the past; in contrast with its loudness on other fronts, the FSF treats GPL problems with discretion and tact. As a result, most GPL violators are brought around to compliance without being pushed into full-scale defensive lockdown.
The other thing to note is that Mr. MacCárthaigh did not get anything all that exciting for his efforts: a stock 2.2.14 kernel with a widely-available patch set. In the Linksys case, many Linux users are getting worked up about the prospect of extracting a new set of wireless network drivers by forcing a release of code. These users will almost certainly be disappointed. The drivers in question will be implemented as loadable modules which, until some disgruntled kernel developer proves otherwise in court, are legal to distribute for use with the kernel. Linksys owes its customers the source for its Linux kernel, BusyBox, and any other GPL software that it includes in its product. But it is under no obligation to open up any proprietary drivers that it is using.
The truly sad part is that embedded system vendors need not even provide source which can be rebuilt and loaded into their devices. As reported here in May, there appears to be no legal impediment that can prevent systems vendors from requiring kernels to be signed by a private key before they can be run. You can look at what your Linux-powered device is running (if you trust the vendor to provide the true source for the binaries in the box), but you may not be able to change it.
Even so, it is important that distributors of GPL-licensed software live up to the obligations imposed by that license. There is a vast body of highly capable software which is available under the GPL, and all that's required to be able to use it is to make the source available under the same license. That is a small price to pay for free (of charge) access to software that, by some estimates, is worth over a billion dollars.
Update: since this article was first published, Linksys has stated that it will release the source for the GPL-licensed code running in the WRT54G router.
LZW is Free! (Almost)
[This article was contributed by Joe 'Zonker' Brockmeier]
The LZW patent is nearing its expiration date. Appropriately enough, patent 4,558,302 expires next Friday, June 20 -- plan your parties accordingly. At least if you're in the U.S. -- the patent will continue to be valid for a little longer in several other countries.
Unisys sat on the patent for nine years before it attempted to start collecting royalties on software that made use of LZW to create images in the Graphics Interchange Format (GIF), and for the use of GIFs on websites. Unisys really started putting the pressure on in 1999, however, asking web site operators to fork over a fee of $5,000 just to use GIFs on a publically-accessible website or an Intranet site. You could also get a license to cover both a "Billboard" site and an Intranet for the low, low fee of $7,500.
Pressure is a relative term. Unisys was never successful in garnering the licensing fees from the majority of sites that use GIFs, nor did they conduct an RIAA-style search for sites using GIFs to send threatening letters to. And, compared to Amazon's "one-click" patent, the LZW patent looks almost reasonable.
Nevertheless, the Unisys money-grab inspired a deep loathing in quite a few Webmasters and other users who had already been using GIFs or the LZW algorithm for quite some time, and who resented the sudden demand for royalties. Thus the Burn All GIFs day was born. Thanks to their GIF efforts, Unisys has the dubious honor of being one of the first companies to awaken the Free and Open Source software communities to the danger of software patents.
Don Marti, webmaster for the Burn All GIFs site, said it's yet to be seen how successful the Burn All GIFs project has been.
The W3C's decision to declare itself a patent-shenanigans-free zone is a positive development, and other information technology standards bodies should also drop the idea of "UFO" (Uniform Fee Only) patent policies, which impose prohibitive transaction costs on free software and small companies.
Marti also noted that the W3C's royalty-free policy is a step forward for Free and Open Source software developers.
Of course, it's not all about GIFs. The LZW algorithm is also found in a number of other graphics formats and in programs that compress data. GIFs are merely the most widely-recognized use of LZW. For example, LZW is used in the Unix "compress" utility, which led to the creation of the widely-used gzip as a replacement.
It's unlikely that the Free and Open Source community will rush back to using the LZW algorithm, now that it has been effectively replaced. But even as it re-enters the public domain, the LZW tale serves as a cautionary tale of the dangers of software patents. It won't be the last.
Penguin Computing acquires Scyld
Penguin Computing announced on June 10 the signing of an agreement to acquire Scyld Computing, the Beowulf cluster software and services company started by Donald Becker. This acquisition is a significant step being taken by one of the true survivors among Linux companies. So we dropped Penguin Computing founder Sam Ockman a few questions; here's what he had to say.Why has Penguin Computing decided to acquire Scyld at this time?
Most of our business has historically come from our enterprise customers. About a year ago they started to get very interested in high performance computing (HPC). Now an increasing number of our customers have their own clusters.
Corporate customers really care about "total cost of ownership". It's a term that is used derisively in the Linux community, but in the enterprise it's very important. Scyld has engineered the best management framework for clusters, so it was a natural fit for us to buy them.
How do you expect Penguin's cluster offerings to change as a result of the Scyld acquisition?
Simultaneously, we will be concentrating on longer term goals. We have a very clear vision as to where clustering is going. There is going to be a lot of innovation in the next few years.
Based on extensive input from the existing customers of both companies, we have already begun work on the next generation of software and hardware solutions for the HPC space.
What are your expectations for the Linux cluster market over the next few years?
Job scheduling and resource utilization will become more and more important as clusters are shared throughout a corporation. We're working on some very elegant solutions to these problems.
Some of your competitors have been targeting specific markets - bioinformatics, for example. Does Penguin anticipate taking a similar path with its offerings?
What's great about Scyld is that it's an analogous situation. Don Becker, the founder and CTO of Scyld is the inventor of Beowulf. So Scyld's software and knowledge have grown with the market.
That said we're now seeing considerable growth in biotech, Computational Fluid Dynamics (CFD) and Electronic Design Automation (EDA). We're gaining customers that are using clusters in each of these fields. As we do, our knowledge increases, and new customers come our way, often recommended by word of mouth.
But it's not just those three fields either; it's amazing some of the things our clusters are being used for. Clusters are being used almost everywhere there is a computationally intensive problem. And it's not just in places where supercomputers would have been used before. Because the cost of a cluster is at least an order of magnitude less than a monolithic supercomputer, it has opened up whole new markets.
Penguin Computing has managed to survive in a market (Linux-installed systems) where many others have failed. What have you done differently to be able to succeed in this way?
Another way of phrasing that question, perhaps, is: why should a customer buy a server (or a cluster) from you, rather than from a large vendor like Dell?
Dell's an interesting comparison choice. If you want real support from them you have to buy something called DLine Plus. For fifteen problems over three years you pay $2,999 extra.
At Penguin Computing we include all of our experience, and completely support the server for no additional charge. We've been engineering and supporting Linux servers longer than Dell and IBM.
On the cluster front, it's an even easier choice. With the acquisition of Scyld we have the best management framework for Beowulf clustering. And Don and his team have more knowledge about Beowulf than anyone else. After all Don invented it!
Scyld has a number of resellers, including Hewlett-Packard, and we definitely value those relationships. So, HP or any of Scyld's other resellers is also a very good choice for clusters.
Are you willing to release any sort of annual revenue information for Penguin Computing? Or, perhaps, some sort of server volume figures?
Does Penguin employ contributors to any free software projects? Which ones?
Another project that is near and dear to our hearts is lm_sensors. We often have to write new code to make lm_sensors work with our next generation servers, and we make sure that we GPL all of that. Some other projects that we've contributed to include LCDproc.
In addition to directly writing code, we do a lot to support the Linux and Open Source community. We're a corporate patron of FSF/GNU and have also donated servers to them (including the server they use to run their mailing lists). Penguin Computing has also given servers to H. Peter Anvin so he could develop RAID-6. Finally, along with BitMover, we provide and host kernel.bkbits.net, which is used by many of the senior kernel developers.
An open letter to SCO
We recently sent the following letter to several contacts at SCO and its public relations agency:
The SCO Group has made repeated claims that Linux contains code taken from proprietary Unix. On the basis of these claims, a $1 billion lawsuit has been filed against IBM, and letters have been sent to many Linux users warning that they may face legal liability. You have publicly compared the Linux community to thieves and liars. What you have not done is to back up your claims in any way, with the result that you have now been hit with legal notices for unfair competitive practices in two countries.The Linux and free software communities take great pride in their ability to develop code which is inferior to none. They have no interest in stealing code from anybody; Linux hackers are not so dishonest, and, frankly, most of them believe that they can do a better job themselves. Linux is an implementation of a number of well-published standards, but it is an original work.
That said, if it turns out that there is stolen code in the Linux kernel (or elsewhere) the community very much wants to know about it. We would like to remove that code and find out how it came to be included in the first place. Anybody who turns out to have contaminated Linux with proprietary code will, to say the least, not be welcome in our community in the future. If this has happened, we want to get to the bottom of it even more than you do. We do not want it to happen again.
You have made grave accusations against our community and caused a great deal of concern in that community and beyond. You now owe it to us to back up those accusations.
You need not - at this point - reveal any proprietary code of yours. But you owe it to us to point out which code in Linux is, by your claims, stolen from you. This code, by virtue of having been distributed by many (including you) in source form, can no longer be held to be confidential; SCO's claims to that regard are unconvincing. You will not violate any confidentiality by simply indicating which code you are taking exception to.
SCO claims that the Linux community would use any such disclosure to remove the evidence ("That's like saying, 'show us the fingerprints on the gun so you can rub them off.'" - Darl McBride in the Wall Street Journal). This claim, too, is unconvincing. The development history of Linux is public and cannot be erased; all the evidence you need can be found on SCO's own distribution disks. There is no way to "rub off" those fingerprints. Yes, the Linux community would quickly remove any code that was shown to be proprietary, but that would not change the evidence for your case and you know it.
Making a demonstration for a limited number of reporters under NDA is inadequate. Your NDA excludes the people who can best make judgements on the origins of code and prevents the development community from addressing any wrongs that may have occurred.
Instead, if you point out the code the Linux community will track down its origins far more quickly and effectively than your lawyers ever could. Your refusal to do so only suggests that you fear exactly that: a careful investigation could show that any common code comes from a freely available source. If your claims are honest and legitimate, you owe it to the community to back them up.
If SCO is serious about its claims, it is time to show some integrity and expose those claims to general scrutiny. Please, SCO, show us the code.
We did actually get a response back from them. Here's SCO's statement:
An SCO representative has since stated that the offending code is in the Journaling Filesystem (JFS), NUMA, and SMP support. JFS is an obvious, large contribution from IBM, and, though it originally comes from OS/2, it could conceivably contain some of SCO's code. JFS is good stuff, but its loss would affect very few Linux users.
The initial NUMA support was contributed by Kanoj Sarcar, then at SGI. IBM has since improved that code, of course. It is well known that Linux SMP support was initially helped by the company then known as Caldera. It has since seen work by a great many people. It is conceivable, though improbable, that a significant amount of proprietary code could have been sneaked in somewhere.
But, without knowledge of the code that SCO objects to, it will be impossible to independently verify whether any of it has been copied or not. SCO continues to hide behind the "confidentiality" of code which has been publicly distributed, with the result that nobody can ascertain whether its claims have merit or not. Perhaps that is the point.
Who is selling SCO stock?
SCO's stock has gone up significantly in value since the company filed its suit against IBM. There has been speculation that the real purpose of the whole operation was to inflate the stock price and give insiders a chance to cash out before it all falls apart. Insider trades must be publicly documented, of course, so we took a moment to see what has happened so far.Perhaps the most interesting filing so far is this S/3A form, first filed in February and since updated several times. It appears that two external stockholders, John R. Wall and Morgan Keegan & Co., have decided to dump an even million shares that they hold. SCO has gone through the whole registration process - at its expense - to make this happen, but the proceeds go directly to the two sellers.
Mr. Wall got his (800,000) shares at the end of 2002 (along with $100,000 in cash) for a $1 million note payable by Vista.com, a company he founded. Those shares, at current prices, are worth nearly $7 millon. Not a bad deal.
Morgan Keegan was retained by the company "to act as an exclusive financial advisor to assist the Company in its analysis, consideration and if appropriate, execution of various financial and strategic alternatives available to it including, but not limited to, securing additional equity and/or debt capital and potential strategic transactions including mergers, acquisitions and joint ventures" (2002 annual report). The cynical among us might conclude that a "strategic alternative" has indeed been chosen. There is, however, no evidence that either of these two large shareholders have anything to do with the lawsuit - they are simply happy beneficiaries.
There have been some recent sales by SCO executives:
- Opinder Bawa has
one
filing for having sold 15,000 shares, and another
for 8,000 shares. He would appear to have sold all the shares he
possesses (but he still has a lot of options).
- Robert Bench
has three filings: 7000
shares, 5000
shares, and 4100
shares.
- Jeff
Hunsaker sold 5000
shares at the beginning of June.
- Darl McBride sold 7000 shares just after the suit was filed.
The record thus shows a small amount of cashing-in as the stock price goes up, but, with the exception of the large sale by John Wall and Morgan Keegan, nothing all that significant. If all this is truly an effort by SCO management to cash out, the people involved have not yet made their move.
Page editor: Jonathan Corbet
Security
Security news
Some interesting publicity
For today's amusement, let's look at this TechWeb article on patch management. In the middle of the article one finds:
The first claim - that a given Linux server gets more updates than a given Windows server - could at least be verified. Whether the figure means anything is another story. Updates to a Linux system cover the vast array of packages available there. Many of them result from active code audits and fix obscure problems that are difficult to exploit. Of the large number of security problems fixed by Linux distributors each year, it is a good bet that most of them are never exploited to compromise even a single system. How many systems have you encountered that are threatened by any of these recently-patched problems?
- The Hangul Terminal
vulnerability ("Since it is not possible to embed a carriage
return into the window title the attacker would then have to convince
the victim to press 'Enter' for it to process the title as a
command...")
- Insecure temporary files in
gzip. It is a local vulnerability, but the chances of it
being used are very small.
- The file vulnerability, which requires an attacker to convince the system administrator to run "file" on a specially-crafted file.
...and so on. It is good that these problems are being fixed, but they do not threaten most users. The updates to that Windows system, instead, are far more likely to be addressing serious vulnerabilities that are being actively exploited.
The second claim in the TechWeb article ("many of the attacks aimed at Windows vulnerabilities are written by Linux experts") requires a response. How, exactly, did they come by this information? It is, after all, rare for authors of malware to include their resumes with the code. This statement is pure slander which has been reported as fact. One can only hope that a correction will be forthcoming.
New vulnerabilities
atftp: buffer overflow
| Package(s): | atftp | CVE #(s): | CAN-2003-0380 | ||||||
| Created: | June 9, 2003 | Updated: | June 12, 2003 | ||||||
| Description: | Rick Patel discovered that atftpd is vulnerable to a buffer overflow when a long filename is sent to the server. An attacker could exploit this bug remotely to execute arbitrary code on the server. Read the full advisory for more information. | ||||||||
| Alerts: |
| ||||||||
eterm: buffer overflow
| Package(s): | eterm | CVE #(s): | |||||||
| Created: | June 9, 2003 | Updated: | June 12, 2003 | ||||||
| Description: | "bazarr" discovered that eterm is vulnerable to a buffer overflow of the ETERMPATH environment variable. This bug can be exploited to gain the privileges of the group "utmp" on a system where eterm is installed. | ||||||||
| Alerts: |
| ||||||||
gzip: insecure temporary files
| Package(s): | gzip | CVE #(s): | CVE-1999-1332 CAN-2003-0367 | ||||||||||||
| Created: | June 9, 2003 | Updated: | June 16, 2003 | ||||||||||||
| Description: | Paul Szabo discovered that znew, a script included in the gzip
package, creates its temporary files without taking precautions to
avoid a symlink attack (CAN-2003-0367).
The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted. | ||||||||||||||
| Alerts: |
| ||||||||||||||
hanterm: two vulnerabilities in Hangul Terminal
| Package(s): | hanterm | CVE #(s): | CAN-2003-0077 CAN-2003-0079 | ||||||
| Created: | June 6, 2003 | Updated: | June 11, 2003 | ||||||
| Description: | Hangul Terminal is a terminal emulator for the X Window System, based on Xterm.
Hangul Terminal provides an escape sequence for reporting the current window title, which essentially takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the window title of a victim using Hangul Terminal to an arbitrary command and then report it to the command line. Since it is not possible to embed a carriage return into the window title the attacker would then have to convince the victim to press Enter for it to process the title as a command, although the attacker could craft other escape sequences that might convince the victim to do so. In addition, it is possible to lock up Hangul Terminal before version 2.0.5 by sending an invalid DEC UDK escape sequence. | ||||||||
| Alerts: |
| ||||||||
KDE: vulnerability in SSL implementation
| Package(s): | KDE | CVE #(s): | CAN-2003-0370 | |||
| Created: | June 6, 2003 | Updated: | June 11, 2003 | |||
| Description: | KDE versions 2.2.2 and earlier have a vulnerability in their SSL implementation that makes it possible for users of Konqueror and other SSL enabled KDE software to fall victim to a man-in-the-middle attack. | |||||
| Alerts: |
| |||||
mod_php: integer overflow
| Package(s): | mod_php php | CVE #(s): | ||||
| Created: | June 9, 2003 | Updated: | June 12, 2003 | |||
| Description: | The PHP emalloc() function implements the error safe wrapper around
malloc(). Unfortunately this function suffers from an integer overflow and
considering the fact that emalloc() is used in many places around PHP
source code, it may lead to many serious security issues. Read the full
advisory.
The function str_repeat(string input, int multiplier) returns input repeated multiplier times. The implementation of this function suffers from a simple integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory. The function array_pad(array input, int pad_size, mixed pad_value) returns a copy of the input padded to size specified by pad_size with pad_value. Unfortunately the implementation of this function suffers from an integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory. | |||||
| Alerts: |
| |||||
XaoS: improper setuid-root execution
| Package(s): | xaos | CVE #(s): | ||||
| Created: | June 9, 2003 | Updated: | June 11, 2003 | |||
| Description: | XaoS, a program for displaying fractal images, is installed setuid root on certain architectures in order to use svgalib, which requires access to the video hardware. However, it is not designed for secure setuid execution, and can be exploited to gain root privileges. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
LPRng: insecure temporary file
| Package(s): | LPRng | CVE #(s): | CAN-2003-0136 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | June 16, 2003 | ||||||||||||||||||
| Description: | Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purpose when it is configured as filter. The program does not check whether this file already exists or is linked to another place writes its current environment and called arguments to the file unconditionally with the user id daemon. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Apache 2 - denial of service
| Package(s): | apache | CVE #(s): | CAN-2003-0189 CAN-2003-0245 | ||||||||||||||||||
| Created: | May 28, 2003 | Updated: | June 16, 2003 | ||||||||||||||||||
| Description: | A new set of denial of service vulnerabilities has been found in Apache versions 2.0 through 2.0.45. The potential for a remote code exploit apparently exists as well. See the Apache 2.0.46 announcement for more information. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups | CVE #(s): | CAN-2003-0195 | ||||||||||||||||||||||||
| Created: | May 27, 2003 | Updated: | July 22, 2003 | ||||||||||||||||||||||||
| Description: | Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631). | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
dvips: command execution vulnerability
| Package(s): | dvips | CVE #(s): | CAN-2002-0836 | ||||||||||||||||||||||||
| Created: | October 16, 2002 | Updated: | June 10, 2003 | ||||||||||||||||||||||||
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ethereal - format string vulnerability
| Package(s): | ethereal | CVE #(s): | CAN-2003-0081 | ||||||||||||||||||
| Created: | March 10, 2003 | Updated: | June 12, 2003 | ||||||||||||||||||
| Description: | The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
file - memory allocation problem, stack overflow
| Package(s): | file | CVE #(s): | CAN-2003-0102 | |||||||||||||||||||||||||||||||||
| Created: | March 4, 2003 | Updated: | June 4, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
gPS: multiple vulnerabilities
| Package(s): | gPS | CVE #(s): | ||||
| Created: | May 29, 2003 | Updated: | June 3, 2003 | |||
| Description: | gPS is a graphical application to watch system processes. In release 1.1.0 of the gps package, several security vulnerabilities were fixed, including several buffer overflows and a problem where any host could connect to the server. | |||||
| Alerts: |
| |||||
ghostscript: command execution vulnerability
| Package(s): | ghostscript | CVE #(s): | CAN-2003-0354 | |||||||||||||||
| Created: | June 2, 2003 | Updated: | June 16, 2003 | |||||||||||||||
| Description: | A flaw in unpatched versions of Ghostscript before 7.07 allows malicious postscript files to execute arbitrary commands even with -dSAFER enabled. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gnupg: key validation
| Package(s): | gnupg | CVE #(s): | CAN-2003-0255 | |||||||||||||||||||||||||||
| Created: | May 15, 2003 | Updated: | November 17, 2003 | |||||||||||||||||||||||||||
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
IMP - SQL injection vulnerability
| Package(s): | imp | CVE #(s): | CAN-2003-0025 | |||||||||
| Created: | January 15, 2003 | Updated: | July 8, 2003 | |||||||||
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. | |||||||||||
| Alerts: |
| |||||||||||
kde: arbitrary code execution
| Package(s): | kde | CVE #(s): | CAN-2003-0204 | ||||||||||||||||||||||||||||||||||||
| Created: | April 10, 2003 | Updated: | June 30, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allow a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files. An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such malicious file and has file previews enabled. An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possible other means. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
kernel - ptrace-related vulnerability
| Package(s): | kernel | CVE #(s): | CAN-2003-0127 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2003 | Updated: | June 30, 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel 2.4 - two new vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2003-0244 CAN-2003-0246 | ||||||||||||||||||||||||||||||||||||
| Created: | May 14, 2003 | Updated: | July 25, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
kon2: buffer overflow allows local users to obtain root privileges
| Package(s): | kon2 | CVE #(s): | CAN-2002-1155 | |||||||||
| Created: | June 3, 2003 | Updated: | June 16, 2003 | |||||||||
| Description: | KON is a Kanji emulator for the console. There is a buffer overflow vulnerability in the command line parsing code portion of the kon program up to and including version 0.3.9b. This vulnerability, if appropriately exploited, can lead to local users being able to gain elevated (root) privileges. | |||||||||||
| Alerts: |
| |||||||||||
kopete: vulnerabiliy in GnuPG plugin
| Package(s): | kopete | CVE #(s): | CAN-2003-0256 | |||||||||
| Created: | May 8, 2003 | Updated: | June 27, 2003 | |||||||||
| Description: | A vulnerability was discovered in versions of kopete prior to 0.6.2. Kopete is a KDE instant messenger client. This vulnerabiliy is in the GnuPG plugin that allows for users to send each other GPG-encrypted instant messages. The plugin passes encrypted messages to gpg, but does no checking to sanitize the commandline passed to gpg. This can allow remote users to execute arbitrary code, with the permissions of the user running kopete, on the local system. | |||||||||||
| Alerts: |
| |||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
lv: privilege escalation
| Package(s): | lv | CVE #(s): | CAN-2003-0188 | ||||||||||||
| Created: | May 15, 2003 | Updated: | June 4, 2003 | ||||||||||||
| Description: | Leonard Stiles discovered that lv, a multilingual file viewer, would read options from a configuration file in the current directory. Because such a file could be placed there by a malicious user, and lv configuration options can be used to execute commands, this represented a security vulnerability. An attacker could gain the privileges of the user invoking lv, including root. | ||||||||||||||
| Alerts: |
| ||||||||||||||
lynx: CRLF injection vulnerability
| Package(s): | lynx | CVE #(s): | CAN-2002-1405 | |||||||||||||||||||||
| Created: | November 19, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
net-snmp: denial of service vulnerability
| Package(s): | net-snmp | CVE #(s): | CAN-2002-1170 | ||||||
| Created: | December 17, 2002 | Updated: | November 7, 2003 | ||||||
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. | ||||||||
| Alerts: |
| ||||||||
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye | CVE #(s): | CAN-2003-0358 CAN-2003-0359 | |||||||||||||||
| Created: | February 18, 2003 | Updated: | July 15, 2003 | |||||||||||||||
| Description: | Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details. Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
netscape-flash: buffer overflow
| Package(s): | netscape-flash | CVE #(s): | |||||||
| Created: | March 10, 2003 | Updated: | June 20, 2003 | ||||||
| Description: | Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a users machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade." | ||||||||
| Alerts: |
| ||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
pam_xauth: root exploit
| Package(s): | pam_xauth | CVE #(s): | CAN-2002-1160 | |||||||||
| Created: | February 13, 2003 | Updated: | July 10, 2003 | |||||||||
| Description: | The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker. | |||||||||||
| Alerts: |
| |||||||||||
PHP: vulnerability in mail function
| Package(s): | php | CVE #(s): | CAN-2002-0985 CAN-2002-0986 | |||||||||||||||
| Created: | November 13, 2002 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
PostgreSQL - more buffer overflows
| Package(s): | postgresql | CVE #(s): | |
| Created: | February 12, 2003 | Updated: | November 7, 2003 |
| D |